Random-bit generators (RBGs) are key components of a variety of information processing
applications ranging from simulations to cryptography. In particular, cryptographic systems require
"strong" RBGs that produce high-entropy bit sequences, but traditional software pseudo-RBGs 
have very low entropy content and therefore are relatively weak for cryptography. Hardware RBGs 
yield entropy from chaotic or quantum physical systems and therefore are expected to exhibit high 
entropy, but in current implementations their exact entropy content is unknown. Here we report 
a quantum random-bit generator (QRBG) that harvests entropy by measuring single-photon and 
entangled two-photon polarization states. We introduce and implement a quantum tomographic 
method to measure a lower bound on the "min-entropy" of the system, and we employ this value 
to distill a truly random-bit sequence. This approach is secure: even if an attacker takes control of 
the source of optical states, a secure random sequence can be distilled. 

PACS numbers: 03.67.Dd,03.67-a,42.50.-p,42.40.My 



Random numbers are commonly used in computer simulations,
lotteries, and, most importantly, cryptographic
applications. Cryptographically strong random numbers
need to have two properties: good statistical behavior
and unpredictability. The numbers need to be distributed
according to a uniform distribution, and an attacker
should not be able to predict the corresponding
sequence of bits. Unpredictability is quantified using the
entropy content of a sequence generated by a random-bit
generator (RBG).

The entropy content can be used to grade RBG security,
i.e., the ability of the generator to withstand attacks.
Most applications generate long strings of bits using
algorithms known as pseudo-random number generators,
with seeds chosen by the user. The entropy content of the
strings generated in this fashion is small and is ultimately
determined by the length of the (short) seed. This
deficiency makes pseudo-random numbers unsuitable for the
most demanding cryptographic applications. This fact
has been recognized by both the information theory
community and the computer security industry [1].
Hardware RBGs are an alternative to pseudo-RBGs because
they harvest and distill entropy from physical systems.
The most recent examples of hardware RBGs stress the
importance of directly measuring the entropy content of
the source [3].

In principle, random bits could be produced by classical
physical processes that are too complicated to predict
perfectly over long times, such as thermal noise. For
example, Denker has used thermal noise fluctuations in a
resistor as a randomness source, and relied on an estimate
of the entropy of the noise process to extract a random bit
sequence from digits derived from that source. Further,
sufficiently powerful data processing systems with
appropriate models or algorithms may become able to
predict chaotic or thermal processes, even if only for a
short time.

In quantum phenomena the outcome of a class of mea- 
surements is governed by probabilistic laws: the statis- 
tical properties of repeated measurements can be pre- 
dicted, but the result of each measurement is random. 
This irreducible randomness of the quantum phenomena 
is postulated here and is the basis of our RBG. Distin- 
guishing between irreducible quantum randomness and 
classical randomness, that can in principle be controlled 
and influenced, is at the basis of our RBG security. 

Quantum measurements can be easily used to generate
random bits. For example, if we detect the transmission
and reflection of a 45°-polarized photon (a "qubit")
on a horizontal-vertical (H-V) polarizing beam-splitter
with two photomultipliers, each detector has the same
probability to register an event, but at any given time
we cannot predict which detector will record the next
event. By assigning the value 0 to a detection in one
of the detectors and 1 to the other we can build
sequences of random numbers. Similarly, we can use pairs
of polarization-entangled photons that are described by
so that appropriately balanced coincidence measurements
in the H1-V2 and V1-H2 basis yield equiprobable
outcomes. This type of quantum coin tossing has already 
been exploited for the generation of random bits [1, H, @] . 
None of those quantum RBGs presented a security anal- 
ysis or a method to verify integrity. 

In this work we demonstrate a quantum random-bit
generator (QRBG) based on measurements made on
quantum states that span a 2 × 2 Hilbert (sub)space.
While there are a number of quantum systems that could
readily satisfy this constraint, we have emphasized an
optical implementation because of the ease with which
quantum states can be generated and measured. We follow
recent work on entropic statistical analysis of random
sources, and we measure a quantity known as
"min-entropy," $H_\infty$, and use the value of $H_\infty$ to distill a
random sequence of bits from a series of detection events
using a hash function.

Our approach has two main advantages over existing
QRBGs. First, we are able to measure and monitor
continuously the randomness of the bits, relying on a physical
property of the system. We do not rely on a posteriori
statistical tests of generated bit sequences, because these
tests cannot prove randomness unless they analyze
infinite sequences. Second, using this protocol allows us to
endow an attacker with more capabilities than any other
RBG: even if she takes complete control of the source
of optical states, so long as $H_\infty > 0$, a sequence of bits
nevertheless can be extracted that is arbitrarily close to
a string of bits that is perfectly random. [9]

To define and measure the security of a RBG we must 
define the adversarial context in which it operates. In 
such a scheme one has to assume that the attacker has
complete knowledge of the protocol used and can, in prin- 
ciple, control or influence part of it. This is similar to 
the scenarios used for quantum key distribution in which 
the attacker has complete control of the communication 
channels and knowledge of the protocol but has no access 
to the transmission stations. 

In our scenario, the user (Alice) can choose the quantum
system on which she makes a measurement to generate
random bits, while the adversary (Eve) controls the
state of the quantum system but has no access to the
measurement apparatus (the tomography setup, in our
case). Notice that Alice is not allowed to exploit other
degrees of freedom different from the ones under Eve's
control. This restriction is due to the fact that one must
assume an attacker has knowledge of the protocol and
will try to gain control of the degrees of freedom that
are actually being used for generating the random numbers.
Even under such an unfavorable scenario for Alice, we
demonstrate that a secure RBG can be built.
This is a worst-case scenario: our protocol
is secure a fortiori if Eve has less than total control of
the state of the system or if she tries to exploit failures
in the system to gain knowledge of the random bits.

One could argue that our adversarial scenario is somewhat
contrived because Eve is not likely to gain control
of the source. There are two arguments to counter
such an objection. First, protocol robustness is increased if
one shows that it is resilient against a larger class of
attacks. Second, even if Eve does not control directly the
degree of freedom used to generate the random numbers
she can nevertheless take advantage of a system failure
to gain knowledge of the bits being generated. In this
respect our protocol is more secure than any other
hardware random number generator we know of.

In our protocol Alice picks the simplest quantum sys- 
tem, a qubit, and makes a projective measurement to 
generate random bits. In this context, we believe, simplicity
is a virtue and this is the reason for using a qubit.
This allows a complete analysis and excludes the possi- 
bilities of extra degrees of freedom used as "back-doors" 
by Eve. More complicated systems might have similar 
security but are outside the scope of this paper. 

Here we implement the qubit in the polarization of 
photons. The polarization state of the photons is con- 
trolled by Eve, but she has no knowledge of the sequence 
of measurements made by Alice except for the basis used 
for the projection measurement used to generate the random
bits. For any other hardware RBG one requires
that Eve has no control over the randomness source while 
in our adversarial scenario she completely controls one 
component (i.e. state preparation) of the source. 

Alice's measurement strategy is consistent with the
provision of a 2 × 2 Hilbert space (i.e. a qubit), and
that any state Eve sends to Alice can be represented by
a 2 × 2 complex density matrix $\rho$. For any density matrix
$\rho$, Eve can try to bias the output of the QRBG in a way
that is known to her, but appears random to Alice, by
sending a collection of pure states $|\psi_i\rangle$ with
corresponding probabilities $p_i$ such that

$$\rho = \sum_i p_i\, |\psi_i\rangle\langle\psi_i| , \tag{2}$$

i.e., she can use any decomposition of $\rho$. Eve cannot
control the outcome of a measurement on the pure state
$|\psi_i\rangle$ (because these probabilities are governed solely by
the laws of quantum mechanics), but knows at each time
the state Alice is measuring. How much information can
Eve obtain in this case about Alice's random sequence?
Or, in other words, how can Alice separate the quantum
randomness from the classical one?

We begin to answer these questions by defining an
entropic quantity known as the min-entropy:

Definition 1 The min-entropy of a random variable
$X$, denoted by $H_\infty(X)$, is

$$H_\infty(X) = -\log_2\left(\max P(x)\right) \tag{3}$$

where $P(x)$ is the probability of a particular outcome of
the random variable $X$. For a secure implementation
the probabilities $P(x)$ should be calculated from the
attacker's point of view and a worst-case scenario regarding
the amount of her knowledge. When so defined the
min-entropy can be used to determine the quality of a source
of randomness. For a binary variable, $H_\infty = 1$
corresponds to a completely random process, and $H_\infty = 0$ to
a deterministic one.

Alice generates $n$ bits by measuring the states provided
by Eve. If the bits were generated by measuring $n$ times
a qubit in the pure state $|\psi\rangle$ in the computational basis
$|0\rangle$, $|1\rangle$, then the min-entropy will be

$$-n\log_2\left(\max\left(|\langle 0|\psi\rangle|^2, |\langle 1|\psi\rangle|^2\right)\right) = -n\log_2\left(\max(P_0, P_1)\right). \tag{4}$$

This definition can be extended to a decomposition such
as the one on the RHS of Eq. (2):

$$\begin{aligned} &= -n\sum_i p_i \log_2\left(\max\left(P_0(|\psi_i\rangle), P_1(|\psi_i\rangle)\right)\right) \\ &= n\sum_i p_i\, H_\infty(|\psi_i\rangle\langle\psi_i|). \end{aligned} \tag{5}$$



Since Alice does not know anything about the
decomposition that Eve may be using, we will define the
min-entropy of a state $\rho$ (denoted $H_\infty(\rho)$) to be the minimum
value of the min-entropy taken over all possible
decompositions of $\rho$. This approach allows us to put an
upper bound on the amount of information Eve can obtain
about Alice's sequence, and to determine the worst-case
parameters for the randomness extractor that is used
below, [g]

By assumption, $\rho$ is a 2 × 2 density matrix, so that
without loss of generality we can write

$$\rho(S_1, S_2, S_3) = \frac{1}{2}\begin{pmatrix} 1 + S_3 & S_1 - iS_2 \\ S_1 + iS_2 & 1 - S_3 \end{pmatrix} \tag{6}$$

where $S_{1,2,3}$ are the real Stokes parameters (for $S_0 = 1$)
for the qubit space. The point $(S_1, S_2, S_3)$ lies inside or
on the Poincaré sphere for physical density matrices.

Definition 2 We define the function $f(\rho)$, which is
real valued for all physical density matrices, as

$$f(\rho) = -\log_2\left(\frac{1 + \sqrt{1 - |S_1 - iS_2|^2}}{2}\right). \tag{7}$$



We can now state the theorem that is the centerpiece 
of our QRBG algorithm: 

Theorem The min-entropy of a system described by
an arbitrary density matrix $\rho$ is

$$H_\infty(\rho) = f(\rho). \tag{8}$$

This theorem can be demonstrated using the following
three lemmas, which are easily established:

Lemma 1 For each pure state $|\psi\rangle$

$$H_\infty(|\psi\rangle\langle\psi|) = f(|\psi\rangle\langle\psi|). \tag{9}$$



Lemma 2 The two pure states represented by the
density matrices

$$|\psi_\pm\rangle\langle\psi_\pm| = \frac{1}{2}\begin{pmatrix} 1 \pm S_3 & S_1 - iS_2 \\ S_1 + iS_2 & 1 \mp S_3 \end{pmatrix} \tag{10}$$

with $S_3 = \sqrt{1 - S_1^2 - S_2^2}$, are a valid decomposition of
the density matrix in Eq. (6).

Lemma 3 The function $f[\rho(S_1, S_2, S_3)]$ is a convex
function of $S_1$, $S_2$, and $S_3$ in the Poincaré sphere.

Using the convexity of $f$ we can write

$$f(\rho) \le \sum_i p_i\, f(|\psi_i\rangle\langle\psi_i|) \tag{11}$$

for each decomposition of $\rho$. Using Eq. (5) and the result
of Lemma 1 we obtain

$$f(\rho) \le H_\infty\left(\sum_i p_i\, |\psi_i\rangle\langle\psi_i|\right) \tag{12}$$

indicating that $f(\rho)$ is a lower bound for $H_\infty(\rho)$.
Using Lemma 1, we can show that the decomposition of
Lemma 2 has a min-entropy equal to $f(\rho)$, and
therefore that $f(\rho)$ is equal to the minimum of $H_\infty$ over all
possible decompositions of $\rho$, i.e., $f(\rho) = H_\infty(\rho)$. From
this demonstration, it follows that the decomposition of
Lemma 2 is the optimal choice for Eve, since it leads to
the most pessimistic estimate of the min-entropy of the
source.

The theorem provides a link between the density
matrix and the source min-entropy. The latter quantity is
interesting because of the vast computer science
literature on entropy extractors (see, e.g., the review papers).
An entropy extractor — such as the example given
by Ref. used in our work here — is an algorithm that
accepts an imperfect source of random bits and outputs
a sequence arbitrarily close to a uniformly distributed
sequence [18]. Given a raw $n$-bit sequence the algorithm
allows one to extract an $m$-bit privacy-enhanced sequence
which is arbitrarily close to a uniform distribution, where

$$m = H_\infty n - 4\log_2(1/\varepsilon) - 2 \tag{13}$$

and $\varepsilon$ is the statistical distance between the distribution
of the $m$ bits and a uniform distribution. We refer the
reader to Ref. @ for a proof of the security of the
extraction algorithm, and to Ref. [l(| for the technical details
of the particular algorithm we implemented.
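
The theorem, Lemma 2 and Eq. (13) can be checked numerically. The following Python code is an added example, not code from the paper: it computes $f(\rho)$ from a density matrix, rebuilds the Lemma 2 decomposition, and evaluates the extractor output length. The sample density matrices, the function names and the decomposition weights (derived here so that the mixture reproduces $S_3$) are assumptions made for the illustration.

```python
import math

def stokes(rho):
    """Stokes parameters (S1, S2, S3) of a 2x2 density matrix, as in Eq. (6)."""
    (r00, r01), (r10, r11) = rho
    if abs(r00 + r11 - 1) > 1e-9:
        raise ValueError("density matrix must have unit trace")
    s1 = (r01 + r10).real           # off-diagonals are (S1 -/+ i*S2)/2
    s2 = (1j * (r01 - r10)).real
    s3 = (r00 - r11).real
    if s1 * s1 + s2 * s2 + s3 * s3 > 1 + 1e-9:
        raise ValueError("state lies outside the Poincare sphere")
    return s1, s2, s3

def _t(s1, s2):
    """sqrt(1 - |S1 - i*S2|^2), clamped against rounding below zero."""
    return math.sqrt(max(0.0, 1.0 - s1 * s1 - s2 * s2))

def min_entropy(rho):
    """Worst-case min-entropy per raw bit: f(rho) of Eq. (7)."""
    s1, s2, _ = stokes(rho)
    return max(0.0, -math.log2((1.0 + _t(s1, s2)) / 2.0))

def eve_decomposition(rho):
    """Lemma 2: the two pure states Eve would send, with their weights."""
    s1, s2, s3 = stokes(rho)
    t, off = _t(s1, s2), complex(s1, -s2) / 2
    def pure(sign):
        return (((1 + sign * t) / 2, off), (off.conjugate(), (1 - sign * t) / 2))
    # Weights are derived here, not given on the page: they must restore S3.
    w = 0.5 if t < 1e-12 else min(1.0, max(0.0, (1 + s3 / t) / 2))
    return [(w, pure(+1)), (1 - w, pure(-1))]

def mix(parts):
    """Recombine weighted 2x2 matrices into one density matrix, Eq. (2)."""
    return tuple(tuple(sum(w * m[i][j] for w, m in parts) for j in range(2))
                 for i in range(2))

def decomposition_min_entropy(parts):
    """Per-bit form of Eq. (5): sum_i p_i * (-log2 max(P0, P1)) in the H/V basis."""
    return sum(-w * math.log2(max(m[0][0], m[1][1])) for w, m in parts if w > 0)

def extractable_bits(h_inf, n, eps):
    """Output length m of Eq. (13) for n raw bits at statistical distance eps."""
    return max(0, math.floor(h_inf * n - 4 * math.log2(1 / eps) - 2))

# Constructed sample states (not measured data from the paper).
DIAGONAL_45 = ((0.5, 0.5), (0.5, 0.5))                  # pure 45-degree photon
MIXED = ((0.5, 0.0), (0.0, 0.5))                        # Eve sends H or V at random
PARTIAL = ((0.6, 0.3 - 0.15j), (0.3 + 0.15j, 0.4))      # S = (0.6, 0.3, 0.2)

if __name__ == "__main__":
    for name, rho in (("45-degree", DIAGONAL_45), ("mixed", MIXED), ("partial", PARTIAL)):
        h = min_entropy(rho)
        parts = eve_decomposition(rho)
        print(f"{name:10s} P(0)={rho[0][0].real:.2f}  H_inf={h:.4f}  "
              f"Lemma-2 check={decomposition_min_entropy(parts):.4f}  "
              f"m(n=10^6, eps=2^-32)={extractable_bits(h, 10**6, 2**-32)}")
```

The 45°-polarized and maximally mixed sample states both give Alice P(0) = 0.5, yet the first yields $H_\infty = 1$ and the second $H_\infty = 0$, which is why the protocol relies on tomography rather than on statistical tests of the output.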



We realized the two implementations of the QRBG
shown in Fig. 1. The first implementation [Fig. 1(a)]
uses a linearly polarized source with average intensity
at the single-photon level. We used photons extracted
from pairs generated by spontaneous parametric
down-conversion (SPDC) in a periodically-poled potassium
titanyl phosphate (PPKTP) crystal; however, either an
attenuated laser or LED could have been used instead.
We used parametric down-conversion in a 10-mm crystal
manufactured by Raicol Crystals with a poling period
of 10 μm. In the crystal a photon from the violet
laser diode (13 mW at a wavelength of 405 nm, Sacher
Lasertechnik, TEC-100-405-20) is split into a pair of
orthogonally polarized infrared photons with a wavelength
of 810 nm and a 1-nm bandwidth defined by an
interference filter. The photons are coupled into a single-mode
fiber, propagate through a polarization-controlling stage
and are split in two approximately equal parts on a fiber
polarization beam-splitter. The photons are recorded by
photodetectors, and each detection event is recorded as a
random bit (0 for horizontally polarized photons, and 1
for vertically polarized photons). The photons' density
matrix is tomographically reconstructed off-line [13].
Using the density matrix and our theorem, we compute the
min-entropy $H_\infty = 0.96$, and we input this value to the
randomness extractor. The raw-bit generation rate is
60 kbits/s, and the bits are passed to the randomness
extractor to obtain a bit-generation rate of approximately
57 kbits/s. A sample file containing 100 million random
bits thus obtained is available online [13].

FIG. 1: Schematics of the QRBGs using single-photons (a) and entangled pairs (b). PPKTP is the nonlinear crystal, PBS the
bulk polarization beam-splitter, FPBS the fiber polarization beam-splitter.

FIG. 2: Real and imaginary part of the density matrix for the
photon pair polarization state used to generate the random-bit
sequence.

The second implementation [Fig. 1(b)] uses
polarization-entangled photon pairs described by
the state of Eq. (1). The entangled photons, generated by
SPDC in the PPKTP crystal followed by post-selection,
are sent to polarization controllers, fiber polarization
beam-splitters, and single-photon detectors for
analysis. Coincidence events are recorded as random
bits (0 for H1-V2 and 1 for V1-H2). By restricting the
measurement to the coincidences, we effectively restrict
the 2-qubit space of the photon pair to a 2-dimensional
Hilbert subspace described by an effective-qubit state.
By carrying out a complete tomography of the 2-qubit
[12] we can extract the effective-qubit density
matrix and the relative min-entropy. Figure 2 shows
a reconstructed density matrix corresponding to a
min-entropy of $H_\infty = 0.38$. Figure 2 shows that the
fiber birefringence changes the state without affecting
the min-entropy, and we do not subtract accidental
coincidences from the tomographic data. (Such a
correction, in fact, would increase the min-entropy, but
weaken the security of the protocol.) The raw bit rate
for this QRBG is 14 kbits/s, while the random-bits rate
is 5.3 kbits/s. Again, a sample file with 100 million
random bits is available online [13].

We have applied a battery of a posteriori software
statistical tests to the privacy enhanced output, but we
stress that these tests are only used to verify that the
QRBG has been correctly implemented: the guarantee
of the QRBG security and randomness relies on the
measurement of $H_\infty$. We used the NIST test suite [14], which
consists of a set of 15 statistical tests of random
numbers for cryptographic applications. Our QRBGs pass
the test, and the detailed test results are given online.

A comparison between the two implementations of 
the QRBG makes it obvious that the single-photon im- 
plementation is simpler and has much higher bit flux. 
The entangled-photon implementation has the advantage 
that, by using coincidences, much of the stray-light noise 
is suppressed. However, by carefully screening the detec- 
tion apparatus, the effect of stray photons can be made 
negligible even in the single-photon case. 

Let us review here the advantages of our quantum RBG 
when compared with other implementations. Compared 
with pseudo-random number generators our hardware 
RNG has the advantage of generating bit sequences with 
full entropy. Other hardware random number generators 
are based on chaotic systems [3] that can be, in principle,
predicted or influenced; our quantum RNG relies on
quantum measurements that are, as far as we know,
fundamentally random. In addition Ref. [3] uses an estimate
of the Shannon entropy (not the min-entropy) that is
realized once for all: the user cannot continuously monitor
the entropy to verify the security and integrity of the 
RBG. Compared with other quantum RBGs [3, [a, @| our 
implementation is the first that explicitly takes into ac- 
count security. To guarantee security the min-entropy 
has to be measured and filtering has to be applied in a 
way that is analogous to the error correction and privacy 
amplification routine used in quantum key distribution 
protocols. References [|| and [f| use an experimental 
setup that is conceptually similar to the single photon 
setup of Fig. 1 whereas the polarization beam splitter is
substituted with a non-polarizing 50/50 beam splitter. 
For these implementations an attack scenario equivalent 
to the one we have analyzed would involve giving Eve 
control over the beam splitter. She could, for example, 
substitute the beam splitter with a switch and therefore 
completely control the outcome of the RBG. To guaran- 
tee security and integrity of this kind of RBG Alice needs 
to verify that the photons are coherently split among the 
output arms of the beam splitter and that the coherence
is collapsed by her measurement. She can do so by
making interferometric measurements that are formally 
analogous to the one we make but are more complicated 
from an experimental point of view. For these reasons 
we used the polarization scheme to implement our secure 
RBG. 

A number of improvements in our setup are possible. 
The raw bit rate is currently limited by the data acqui- 
sition hardware, so dedicated hardware can speed up the 
acquisition and eliminate this bottleneck. Eventually the 
bit rate will be limited by the dead time in the detectors. 
Based on a comparison with existing QRBGs [3] we ex- 
pect that rates up to several Mbits/s can be achieved. Us- 
ing off-line tomography relies on the assumption that the 
system state does not change in the interval between the 
measurement of $H_\infty$ and the acquisition of the random
bits. While this is the case in the current implementa- 
tion, on-line tomography will both relax this assumption 
and increase the bit rate. We are currently engineering a 
high-performance system in which on-line tomography is 
carried out at the same time as the raw bits are acquired.
We also observe that at this point the security of the pro- 
tocol is limited to individual attacks; further analysis is 
needed to extend the security proof to attacks in which 
Eve sends Alice clusters of entangled photons. 

In conclusion, we have defined the worst-case min- 
entropy of a qubit and introduced a method to measure 
it using quantum tomography. Based on the properties 
of the min-entropy, we constructed two implementations 
of a self-calibrating random number generator which is 
secure against a large class of attacks. We believe that 
our RBG will have important technological impact in the 
area of secure communications and that, properly ex- 
tended, the min-entropy defined here could prove to be 
an important tool in defining the security of qubit-based 
communication protocols. 

This work was supported by DARPA through seed program
number HR0011-04-3-0040.